Thursday, 31 August 2006

Review of Essential SNMP, 2nd Ed Posted

Amazon.com just posted my four star review of Essential SNMP, 2nd Ed. From the review:

Essential SNMP, 2nd Ed (ES2E) fills a gap in being a modern book about an important management protocol. SNMP is used extensively by network management stations (NMS) like Nagios, which is now the subject of two independent books. ES2E does a good job covering SNMP issues important to administrators and NMS users. However, the book's organization and...

Sending and Receiving SNMP Traps

SNMP is turning into more voodoo than I expected. I decided to document the following examples for future reference.

SNMP traps are messages sent from agents to network management systems (NMS). A simple trap receiver is Net-SNMP's snmptrapd. I started it as shown so I could watch messages roll in.

orr:/root# snmptrapd -f -Lo
2006-08-31 21:45:50 NET-SNMP version 5.2.3 Started.

As you can see, snmptrapd listens on port 162 UDP.

orr:/home/richard$ sockstat...

Updating Cisco Switch to Support Encrypted SNMP v3

I realized I had an IOS image for my Cisco switch that supported crypto, as required for encrypted SNMP. I decided to reflash my switch to add this support.

This is an example of a blog entry for my future reference. I don't expect any Cisco-ites to learn anything from this.

First I see what version of IOS is installed.

2950T-24#show ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh
Image...

SNMP v3 on Cisco Switch

Using these instructions I set up SNMP v3 on my Cisco 2950-T switch.

2950T-24>enable
Password:
2950T-24#conf t
2950T-24(config)#snmp-server view readview internet included
2950T-24(config)#snmp-server group readonly v3 auth read readview
2950T-24(config)#snmp-server user richard readonly v3 auth md5 bejtlichpass
Adding an snmpv3 user could cause a bootup delay,
do you wish to continue? (y/n)[confirm]y
2950T-24(config)#exit
2950T-24#

I was not able to use DES encryption because the switch does not have a crypto image. This output has the clues I need...

SNMP Comments Part II

Earlier today I described how to modify the sysLocation MIB entry using SNMP v1 or v2c. I can do so with SNMP v3 too. Here is the syntax, followed by packet captures. I disabled encryption so we could read the protocol.

orr:/home/richard$ snmpset -v 3 -u richard -l authNoPriv -a MD5 -A bejtlichpass 127.0.0.1 sysLocation.0 s Manassas
SNMPv2-MIB::sysLocation.0 = STRING: Manassas

Here is the SNMP v3 set.

Simple Network Management Protocol
msgVersion:...

SNMP v1, v2c, and v3

The book pictured at left spends more time on SNMP v1 and v2c than it does on SNMP v3. For example, it provides packet captures for v1 and v2c but not v3. SNMP v1 is everywhere, but we should use SNMP v3 where possible. I thought it would be helpful to show all three formats in one place.

Here is my snmpd.conf for SNMP v1 and v2c.

###########################################################################
#
# snmpd.conf
#
# - created by the snmpconf...

SNMP Comments

I've been reading the book pictured at left, which I hope to review within the next few days. In the text they show examples using Net-SNMP tools to read and change system attributes using SNMP. One of the examples involves something like the following. They show modification of the sysLocation value.

orr:/home/richard$ snmpget -v 1 -c read 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here I'm reading the system location. ...

September Issue of (IN)SECURE Magazine Posted

Mirko Zorz told me a new issue of (IN)SECURE Magazine is available online as Issue 1.8 September 2006 (.pd...

Wednesday, 30 August 2006

FreeBSD Snort 2.6.0 Port Available

The FreeBSD security/snort port now offers 2.6.0. Just run portsnap fetch && portsnap update and you're ready. I'm not sure if/when Snort 2.6.0.1 will be added to the ports tree. I haven't tried 2.6.1 Beta, y...

Attacks Against WEP and Bump Keys

Any security professional should know that Wired Equivalent Privacy is broken. However, thanks to Alan Saqui's blog I learned of another attack method that completely devastates WEP. At almost the same time Brandon Greenwood sent me a link to this YouTube video about bump keys. This is an attack against physical locks that succeeds with minimal effort against most locks on the market. It was publicized in the United States at Hope 6 last month by Barry Wels of The Open Organization of Lockpickers (TOOOL) and Marc Tobias. MSNBC and Slashdot...

Pandemic Reporting Like Digital Security Incident Reporting

The 12 August 2006 issue of the Economist featured the story Global Health: A Shot of Transparency (subscription required). It reminded me of the state of reporting digital security incidents.

At the moment, the world's pandemic-alert system is distressingly secretive. Some countries, such as Vietnam, have been fairly open about new outbreaks of the sorts of infectious disease that might lead to pandemics, and have even invited foreigners in to help diagnose the problem. Most, however, have not been so forthright. Public-health experts point to...

Virtual Desktop Infrastructure Seminar

Last week I attended a seminar featuring VMware and Wyse pitching their Virtual Desktop Infrastructure. (Is it just me or does VMware's site seldom render properly in Firefox?) The Wyse rep passed around the Wyse S10 pictured at left. It lists for $299, "runs BSD" (called "ThinOS"), and features a 450 MHz AMD Geode CPU. Although it has USB ports you can't use them for thumb drives or CD-ROM drives. (More powerful units support those devices.) It has a PPTP client with support for SSL VPNs on the product roadmap. Also on the roadmap is 802.1X,...

Atom Feed Truncated -- Not My Fault

If you're subscribed to taosecurity.blogspot.com/atom.xml, sometime today Blogger decided to post summaries and not full stories. I changed nothing, I have full content publishing selected, and I even republished the whole blog. The RSS feed at taosecurity.blogspot.com/rss.xml is publishing whole content though.

Update: It looks like the Atom feed fixed itse...

Notes from Cisco TV on CCNP

I'm listening to the first episode of CCNP TV. It's not really TV, more like slides plus audio. I'm listening because I wanted to know about the CCNP changes mentioned earlier. The new material will all use Cisco IOS 12.4. I found this change interesting: assume I earn my CCNP; in the future, I can recertify using any Professional level exam, like one from CCSP.

Mixing and matching of old and new exams will be allowed within the guidelines explained...

Review of Inside Network Perimeter Security, 2nd Ed Posted

Amazon.com just posted my three star review of Inside Network Perimeter Security, 2nd Ed. From the review:

I first looked at Inside Network Perimeter Security, 2nd Ed (INPS:2E) for my blog, in May 2005. I decided to try reading it this week because I've been reading books on related topics. Individually, the INPS:2E authors largely know their craft. Unfortunately, the book is so poorly organized and diffused that I don't know why other reviewers...

Tuesday, 29 August 2006

Again, External Threat Is More Prevalent

I almost fell out of my chair when word of the following story reached my Bloglines account: Study: Rethink the Outsider Threat. I published my thoughts on the prevalence of external threats in my first book, and I reiterated those thoughts recently. Now I appear to have some outside help. From the article:

The report took data from the Department of Justice Computer Crime and Intellectual Property Section's network intrusion and data-theft prosecutions between 1999 and 2006. (See How Much Does a Hack Cost?) Phoenix Technologies commissioned...

Liveview

Thanks to this SANS ISC story, I learned of Liveview. It's a program that converts disk images made with dd into VMware images. I decided to try the program on one of the images from Real Digital Forensics. We provide two images on the DVD: JBRWWW.dd.gz and BRJDEV.dd.gz. JBRWWW.dd.gz is a Windows image. Since we had to zero out Windows binaries in that image, it can't be booted. BRJDEV.dd.gz is a Linux image. The Liveview Web site shows there...

Using FCC Filings to Learn About Wireless Cards

One of the cool hints I learned in Ted Wallingford's 802.11 book involved finding your specific hardware in the FCC Equipment Authorization System Generic Search. My Linksys WPC54gv3, for example, has these exhibits. I entered Q87 as the Grantee Code and -WPC54GV3 as the Product Code (including the leading dash). You can get these codes by reading them on your NIC.

Using the Internal Photos .pdf, I can see that this NIC uses a Broadcom chipset....

WildPackets OmniPeek Personal

Three years ago I attended a WildPackets traffic analysis seminar, which I liked. In June WildPackets announced the availability of the free (as in beer) OmniPeek Personal product. I learned of it from Average Admins.

After using OmniPeek Personal for a short time, I have to say I still prefer Wireshark for straightforward packet analysis. I'm sure I'm going to hear from diehard WildPackets fans that OmniPeek is the cat's meow, but hear me out.

I...

June 2006 Issue of (IN)SECURE Magazine Posted

Yes, I missed this event from two months ago! I just realized that a new edition of Mirko Zorz's (IN)SECURE Magazine is available online as Issue 1.7 June 2006 (.pd...

NSM Wiki created

David Bianco of Vorant created a Network Security Monitoring Wiki to share information on effective use of Sguil and other NSM tools. You might also like David's blog. If you've got custom queries you run in Sguil, or performance reports, or related issues, please share them on the Wiki. If you have questions about Sguil use, post them to the Sguil users list via email to sguil-users [at] lists.sourceforge.net. Questions on Sguil development should go to sguil-devel [at] lists.sourceforge.net. As always, you can discuss Sguil and NSM on irc.freenode.net...

Review of Penetration Testing and Network Defense Posted

Amazon.com just posted my three star review of Penetration Testing and Network Defense. This was another disappointment that duped me into trying to read it. From the review:

Penetration testing is becoming a hot topic again, but the available books on the subject continue to underwhelm. Penetration Testing and Network Defense (PTAND), published in the fall of 2005, would be a four star book if it had been published two years earlier. Stephen Northcutt,...

Monday, 28 August 2006

Non-Review: Practical VoIP Security

Here's a first for the TaoSecurity Blog. As mentioned in a pre-review, I planned to read Practical VoIP Security and then write an Amazon.com review. I'd had a bad experience reading VoIP Security, so I hoped this new book would be better. Wrong.

My policy for writing Amazon.com reviews is that I read either the whole book, or the vast majority of it. With Practical VoIP Security, I couldn't make it past the first chapter. In fact, by page 4 --...

Security Engineering Book in Digital Form

I just read at Light Blue Touchpaper that one of my top ten books of the past ten years is now available online. Now you have no excuse not to read this incredible book (reviewed here). It seems funny that the blog commenters asking about making a single .pdf have not heard of Pdftk.

Thanks to jimmythegeek for getting this news to me faster than my Bloglines fe...

More Snort and Sguil Tuning

Let's assume you built a new Sguil sensor and have tuned Snort using advice in my Tuning Snort article. What I like to do next is wait a day or so and then run the following query to look for problematic alert types.

mysql> select count(*) as total, event.signature from event where event.status=0 group by event.signature order by total desc;
+-------+------------------------------------------------------------------------+
| total | signature                                                              |
+-------+------------------------------------------------------------------------+
|...

NoVA Sec First Meeting Pictures at novasec.org

Paul Zedeck was kind enough to send pictures from the first NoVA Sec meeting last week. Please visit the NoVA Sec Blog for details. I try to avoid cross-posting, so keep an eye on that blog for word on the next NoVA Sec meeti...

Network Forensics with NetWitness

Ten days ago I had the privilege of attending a day of product training for NetWitness. NetWitness is a real network forensics tool produced by a company of the same name. Anyone who's read my books or attended my training knows I am a big fan of open source tools. NetWitness, however, is built to facilitate investigating network traffic.

It's important to differentiate between packet collectors, protocol analyzers, and network forensics tools....